How do I know if my small business is covered by the Privacy Act?

Is my small business covered by the Privacy Act?

Generally speaking, most small businesses will not have to comply with the Privacy Act 1988 (Privacy Act). However, there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Privacy Act if it is:

If your business has an annual turnover of $3 million or less and meets one of the criteria above, the Privacy Act will apply to your business or some aspects of it.

To check whether you need to comply, you can complete the Privacy checklist for small business, or seek advice from your industry association or lawyer. The precise definition of an exempt small business is set out in section 6D of the Privacy Act.

What does 'trading in personal information' mean?

A business is 'trading' in personal information if it collects from, or discloses to, someone else an individual's personal information for a benefit, service or advantage. A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service.

Trading in personal information generally means buying, selling or bartering personal information. For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial gain.

A business is not trading in personal information if it gives or receives personal information for a benefit, service or advantage and it:

has the consent of all the individuals concerned; or

only does so when authorised or required by law.

If you trade in personal information you will have to comply with the Australian Privacy Principles in the Privacy Act. Complying with the Privacy Act does not prevent you from collecting personal information for your business needs, but it does mean you must follow the rules about how to handle that information.

What does it mean to get the consent of an individual?

If a business is buying or selling personal information and does not want to be subject to the Privacy Act, it will need the consent of every individual concerned before the sale is completed. For further guidance on the scope and meaning of consent, refer to Chapter B of the APP guidelines.